Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test : 1
Number of security holes found                    : 2
Number of security warnings found                 : 11


Host List
Host(s)        Possible Issue
192.168.1.7    Security hole(s) found


Analysis of Host
Address of Host    Port/Service            Issue regarding Port
192.168.1.7        ssh (22/tcp)            Security warning(s) found
192.168.1.7        ftp (21/tcp)            Security notes found
192.168.1.7        http (80/tcp)           Security warning(s) found
192.168.1.7        netbios-ssn (139/tcp)   Security hole found
192.168.1.7        svrloc (427/tcp)        No Information
192.168.1.7        printer (515/tcp)       No Information
192.168.1.7        afpovertcp (548/tcp)    Security hole found
192.168.1.7        ipp (631/tcp)           Security warning(s) found
192.168.1.7        ntp (123/udp)           Security notes found
192.168.1.7        general/icmp            Security notes found
192.168.1.7        unknown (5353/udp)      Security notes found
192.168.1.7        general/udp             Security notes found
192.168.1.7        general/tcp             Security warning(s) found
192.168.1.7        netbios-ns (137/udp)    Security warning(s) found


Security Issues and Fixes: 192.168.1.7
Type Port Issue and Fix
Warning ssh (22/tcp)
The remote SSH daemon supports connections made
using the version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically
safe so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'.
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'.

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_3.6.1p1+CAN-2003-0693

Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : 89:f1:33:dc:d7:9a:31:b7:98:f0:e3:3c:35:1f:f2:cb
SSHv2 host key fingerprint : e8:1b:32:de:36:60:19:7b:9f:0a:06:0e:7b:1d:2c:af

Nessus ID : 10881
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 OSX-HoneyPot.local FTP server (lukemftpd 1.1) ready.
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 OSX-HoneyPot.local FTP server (lukemftpd 1.1) ready.

Nessus ID : 10092
Warning http (80/tcp)
The remote web server seems to have its default welcome page set.
It probably means that this server is not used at all.

Solution : Disable this service, as you do not use it
Risk factor : Low
Nessus ID : 11422
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The following directories were discovered:
/cgi-bin, /icons, /manual

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

Nessus ID : 11032
Informational http (80/tcp) The remote web server type is :

Apache/1.3.29 (Darwin)


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
Informational http (80/tcp) An information leak occurs on Apache based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.


Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1

Or

3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).

Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html


Risk factor : Low
CVE : CAN-2001-1013
BID : 3335
Nessus ID : 10766
Vulnerability netbios-ssn (139/tcp) The following shares can be accessed using a NULL session :

- IPC$ - (readable?, writeable?)


Solution : To restrict their access under Windows NT, open Explorer, right-click each share,
go to the 'Sharing' tab, and click on 'Permissions'.
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396
Warning netbios-ssn (139/tcp) Here is the list of the SMB shares of this host :

IPC$ -
ADMIN$ -


This is potentially dangerous, as it may assist a potential attacker.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395
Warning netbios-ssn (139/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

OSX-HONEYPOT : 5-21-2048677180-2056306105--336065392

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning netbios-ssn (139/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated user names whose ID is between 1000 and 1200,
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : unknown (id 501)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- kmem (id 1005)
- sys (id 1007)
- tty (id 1009)
- operator (id 1011)
- mail (id 1013)
- bin (id 1015)
- staff (id 1041)
- smmsp (id 1050)
- smmsp (id 1051)
- lp (id 1052)
- lp (id 1053)
- postfix (id 1054)
- postfix (id 1055)
- postdrop (id 1057)
- guest (id 1063)
- utmp (id 1091)
- uucp (id 1133)
- dialer (id 1137)
- network (id 1139)
- www (id 1140)
- www (id 1141)
- eppc (id 1142)
- eppc (id 1143)
- mysql (id 1148)
- mysql (id 1149)
- sshd (id 1150)
- sshd (id 1151)
- qtss (id 1152)
- qtss (id 1153)
- cyrus (id 1154)
- cyrus (id 1155)
- mailman (id 1156)
- mailman (id 1157)
- appserver (id 1158)
- appserver (id 1159)
- admin (id 1161)
- appserveradm (id 1163)
- unknown (id 1198)
- unknown (id 1199)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning netbios-ssn (139/tcp) Here is the browse list of the remote host :

OSX-HONEYPOT -


This is potentially dangerous, as it may assist a potential attacker
by giving them extra targets to check for.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational netbios-ssn (139/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'whatever' in domain WORKGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494
Nessus ID : 10394
Informational netbios-ssn (139/tcp) The remote native lan manager is : Samba 3.0.2
The remote Operating System is : Unix
The remote SMB Domain Name is : WORKGROUP

Nessus ID : 10785
Vulnerability afpovertcp (548/tcp) This AppleShare File Server allows the 'guest' user to connect.

Nessus ID : 10666
Informational afpovertcp (548/tcp) This host is running AppleShare File Services over IP.
Machine type: Macintosh
Server name: OSX HoneyPot
UAMs: DHCAST128/DHX2/Cleartxt Passwrd/No User Authent
AFP Versions: AFP3.1/AFPX03/AFP2.2

Nessus ID : 10666
Warning ipp (631/tcp)
It seems that your web server tries to hide its version
or name, which is a good thing.
However, using a specially crafted request, Nessus was able
to determine that it is running :
CUPS/1.1

Risk factor : None
Solution : Fix your configuration.
Nessus ID : 11239
Warning ipp (631/tcp)
Some web servers use a file called /robot(s).txt to make search engines and
any other indexing tools visit their web pages more frequently and
more efficiently.

By connecting to the server and requesting the /robot(s).txt file, an
attacker may gain additional information about the system they are
attacking.

Such information includes restricted directories, hidden directories, CGI script
directories, etc. Take special care not to tell the robots not to index
sensitive directories, since this tells attackers exactly which of your
directories are sensitive.

The file 'robots.txt' contains the following:
#
# "$Id: robots.txt,v 1.1.1.1 2003/04/11 21:07:24 jlovell Exp $"
#
# This file tells search engines not to index your CUPS server.
#
# Copyright 1993-2003 by Easy Software Products.
#
# These coded instructions, statements, and computer programs are the
# property of Easy Software Products and are protected by Federal
# copyright law. Distribution and use rights are outlined in the file
# "LICENSE.txt" which should have been included with this file. If this
# file is missing or damaged please contact Easy Software Products
# at:
#
# Attn: CUPS Licensing Information
# Easy Software Products
# 44141 Airport View Drive, Suite 204
# Hollywood, Maryland 20636-3111 USA
#
# Voice: (301) 373-9600
# EMail: cups-info@cups.org
# WWW: http://www.cups.org
#

User-agent: *
Disallow: /

#
# End of "$Id: robots.txt,v 1.1.1.1 2003/04/11 21:07:24 jlovell Exp $".
#
Risk factor : Medium
Nessus ID : 10302
Warning ipp (631/tcp) It seems that the PUT method is enabled on your web server.
Although we could not exploit this, you'd better disable it.
Solution : disable this method
Risk factor : Serious
Nessus ID : 10498
Informational ipp (631/tcp) A web server is running on this port
Nessus ID : 10330
Informational ipp (631/tcp) The following CGIs have been discovered :

Syntax : cginame (arguments [default value])

/admin/ (op [add-class] )
/jobs (which_jobs [completed] )

Nessus ID : 10662
Informational ipp (631/tcp) The remote web server type is :

CUPS/1.1

Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.

Nessus ID : 10107
Informational ipp (631/tcp) The following PDF files (.pdf) are available on the remote server :
/svd.pdf
/stp.pdf
/translation.pdf
/ssr.pdf
/sps.pdf
/sdd.pdf
/idd.pdf
/ipp.pdf
/cmp.pdf
/spm.pdf
/sam.pdf
/sum.pdf
/overview.pdf


You should make sure that none of these files contain confidential or
otherwise sensitive information.

An attacker may use these files to gain a more intimate knowledge of
your organization and eventually use them to perform social engineering
attacks (abusing the trust of the personnel of your company).

Solution : sensitive files should not be accessible by everyone, but only
by authenticated users.
Nessus ID : 11419
Informational ntp (123/udp) It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables - these include
the OS descriptor and time settings.

It was possible to gather the following information from the remote NTP host :

version='ntpd 4.1.1@1.786 Fri Sep 12 18:30:03 PDT 2003 (1)',
processor='Power Macintosh', system='Darwin7.5.0', leap=3, stratum=16,
precision=-18, rootdelay=0.000, rootdispersion=1.125, peer=0,
refid=0.0.0.0, reftime=0x00000000.00000000, poll=4,
clock=0xc4e0ff1a.a535b91f, state=0, offset=0.000, frequency=0.000,
jitter=0.004, stability=0.000
Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor : Low
Nessus ID : 10884
Informational general/icmp Here is the route recorded between 192.168.1.10 and 192.168.1.7 :
192.168.1.7.

Nessus ID : 12264
Informational unknown (5353/udp)
The remote host is running the RendezVous (also known as ZeroConf or mDNS)
protocol.

This protocol allows anyone to dig information from the remote host, such
as its operating system type and exact version, its hostname, and the list
of services it is running.

We could extract the following information :

Computer name : OSX-HoneyPot
Ethernet addr : 00:0d:93:c0:f2:ac
Computer Type : PowerBook6,4
Operating System : Mac OS X 10.3.5

Solution : You should filter incoming traffic to this port if you do not use
this protocol.

Risk Factor : Low
Nessus ID : 12218
Informational general/udp For your information, here is the traceroute to 192.168.1.7 :
192.168.1.10
192.168.1.7

Nessus ID : 10287
Warning general/tcp
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.

This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).

Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213
Informational general/tcp The remote host is running Mac OS X 10.3.5
Nessus ID : 11936
Warning netbios-ns (137/udp) The following 5 NetBIOS names have been gathered :
OSX-HONEYPOT = This is the computer name registered for workstation services by a WINS client.
OSX-HONEYPOT = This is the current logged in user registered for this workstation.
OSX-HONEYPOT = Computer name
WORKGROUP = Workgroup / Domain name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)

. This SMB server seems to be a Samba server (this is not a security
risk, this is for your information). This can be inferred because this server
claims to have a null MAC address.

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150

This file was generated by Nessus, the open-source security scanner.